Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 505066 (CVE-2014-2532) - <net-misc/openssh-6.6_p1-r1 : AcceptEnv environment restriction bypass flaw (CVE-2014-2532)
Summary: <net-misc/openssh-6.6_p1-r1 : AcceptEnv environment restriction bypass flaw (...
Status: RESOLVED FIXED
Alias: CVE-2014-2532
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL: https://bugzilla.redhat.com/show_bug....
Whiteboard: B4 [glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2014-03-19 08:32 UTC by Agostino Sarubbo
Modified: 2014-05-11 13:56 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2014-03-19 08:32:42 UTC
From ${URL} :

Common Vulnerabilities and Exposures assigned an identifier CVE-2014-2532 to
the following vulnerability:

Name: CVE-2014-2532
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2532
Assigned: 20140317
Reference: http://marc.info/?l=openbsd-security-announce&m=139492048027313&w=2

sshd in OpenSSH before 6.6 does not properly support wildcards on
AcceptEnv lines in sshd_config, which allows remote attackers to
bypass intended environment restrictions by using a substring located
before a wildcard character.


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 SpanKY gentoo-dev 2014-03-20 05:54:57 UTC
openssh-6.6_p1 is in the tree.  probably is safe for stabilization after 6.4_p1.
Comment 2 Agostino Sarubbo gentoo-dev 2014-03-20 13:40:47 UTC
Arches, please test and mark stable:                                                                                                           
=net-misc/openssh-6.6_p1                                                                                                                       
Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 sparc x86"
Comment 3 Agostino Sarubbo gentoo-dev 2014-03-20 18:17:42 UTC
amd64 stable
Comment 4 Agostino Sarubbo gentoo-dev 2014-03-20 18:17:49 UTC
x86 stable
Comment 5 Lars Wendler (Polynomial-C) gentoo-dev 2014-03-20 20:43:01 UTC
+*openssh-6.6_p1-r1 (20 Mar 2014)
+
+  20 Mar 2014; Lars Wendler <polynomial-c@gentoo.org> -openssh-6.6_p1.ebuild,
+  +openssh-6.6_p1-r1.ebuild:
+  Fixed hpn patch to not add a false patch level to ssh's version string
+  (6.6p2). Committed straight to stable where -r0 was stable.
+

Arches please continue stabilization of =net-misc/openssh-6.6_p1-r1
Comment 6 SpanKY gentoo-dev 2014-03-20 20:58:27 UTC
ia64 done
Comment 7 Jeroen Roovers gentoo-dev 2014-03-22 14:46:37 UTC
Stable for HPPA.
Comment 8 Markus Meier gentoo-dev 2014-03-22 21:36:26 UTC
arm stable
Comment 9 Agostino Sarubbo gentoo-dev 2014-03-23 09:32:40 UTC
ppc stable
Comment 10 Agostino Sarubbo gentoo-dev 2014-03-23 09:32:47 UTC
ppc64 stable
Comment 11 Agostino Sarubbo gentoo-dev 2014-03-23 09:35:23 UTC
sparc stable
Comment 12 Agostino Sarubbo gentoo-dev 2014-03-23 09:54:23 UTC
alpha stable.

Maintainer(s), please cleanup.
Security, please vote.
Comment 13 Agostino Sarubbo gentoo-dev 2014-03-23 09:56:23 UTC
Cleanup done.
Comment 14 Mikle Kolyada archtester Gentoo Infrastructure gentoo-dev Security 2014-03-23 12:04:10 UTC
Added to existing glsa draft.
Comment 15 GLSAMaker/CVETool Bot gentoo-dev 2014-03-23 12:04:52 UTC
CVE-2014-2532 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-2532):
  sshd in OpenSSH before 6.6 does not properly support wildcards on AcceptEnv
  lines in sshd_config, which allows remote attackers to bypass intended
  environment restrictions by using a substring located before a wildcard
  character.
Comment 16 GLSAMaker/CVETool Bot gentoo-dev 2014-05-11 13:56:41 UTC
This issue was resolved and addressed in
 GLSA 201405-06 at http://security.gentoo.org/glsa/glsa-201405-06.xml
by GLSA coordinator Mikle Kolyada (Zlogene).